CVE-2026-32998

Vulnerability

A remote code execution vulnerability exists in Veeam Service Provider Console versions 9.2.0.33215 and all earlier version 9 builds. The flaw is related to script execution within alarms, which is disabled by default in v9.2 unless alarms are already configured with a script execution action. [1]

Exploitation

An attacker with network access and low privileges (CVSS PR:L) can exploit this vulnerability without user interaction. The attacker leverages the script execution functionality in alarms to execute arbitrary code on the Veeam Service Provider Console server. [1]

Impact

Successful exploitation enables remote code execution with high impact on confidentiality, integrity, and availability (CVSS VC:H/VI:H/VA:H). The attacker can fully compromise the VSPC server and potentially the managed infrastructure. [1]

Mitigation

Update to Veeam Service Provider Console 9.2.1, which resolves the vulnerability. If update is not possible, ensure no alarms are configured with script execution actions to disable the vulnerable feature. The vulnerability is not applicable if no such alarms exist. Check the configuration file at C:\ProgramData\Veeam\Veeam Availab… for existing alarms. [1]